The Birdmanand Cospas-Sarsat Satellites

WHO WE ARE

360 TECHNOLOGYSecurity Research Institute

Unicorn Team

SDRSharp

Airspy

GNU Radio

SDR Console

Common Tools

PlutoSDR

Satellite orbitSatellite TLE data by NORAD(North American Aerospace Defense Command)

SGP4 SDP4 SGP8 SDP8

LEO

GEOMEO

MEO

GEOLEO

For tracking those flyingsatellites we need an auto-tracking antenna.OpenATS made by myself.

L-band Gain�15~16dBiLNA Gain�50dBLNA Noise Factor: 0.7dBAntenna Diameter: 0.9m

How to catch LEO orbit satellite?

OpenATS https://github.com/openats/openats

Found something unusual�

It’s looks like an analog signal with the doppler shift.The signal’s center frequency is 1544.5MHzWow!

I can hear someone is speaking !!!

Found something unusual�

L-band1544.5MHz?

• Frequency range : 1GHz – 2GHz• Mainly used for aviation and marine communications, access to

terrestrial information via satellite.• Be classified as meteorological satellites, navigation satellites, and

communication satellites.

L-Band

It’s a system called COSPAS-SARSAT,which downlink frequency is 1544.5MHz, from NOAA-18 satellite.

1544.5MHz

What’s the COSPAS-SARSAT�

COSPAS-SARSATSearch And Rescue Satellites-Aided Tracking System

The first satellite “COSPAS-1” launched in 1982.The four original member nations:Soviet Union, United States, Canada and France

ELT

Beacons can be activated either manuallyor automatically when you are in danger. The beacons also can transmit a GPS position within a distress alert.

Aviation Personal portable MaritimeEPIRB

Emergency Beacons

PLB

User states and organizations that operate 94 LUTs(local user terminal) station and 34+ MCCs(mission control centers)worldwide.

Ground Stations

JPSS-1(NOAA-20)Metop-C

Satellites

A Great SystemSince the inception of the system in 1982, more than 41,000 rescues havebeen supported and over 35,000 lives have been rescued worldwide.That’s a great system !

Rescue video provide by NOAA

What is the content of the distress signal?

Find the protocol for the SARSAT system from official documents

https://cospas-sarsat.int/en/beacon-regulations-handbook

0x01

• Modulation : BPSK • Sambol Rate : 400bps• 3dB Bandwidth :

406.025MHz/406.050MHz(80KHz)• Uplink power : 35~39dBm/3W~8W• Uplink Freq �

406MHz (406.025MHz,406.050MHz…)• Downlink Freq :

1544.5MHz (NOAA,GOES,GPS,METOP)1541.45MHz (Inmarsat)1544.1MHz (Galileo)1544.9MHz (Glonass)2226.47234MHz (GPS-��DASS)4503.385MHz/4504.2MHz/4507.0MHz (INSAT)

0x02Get important informations of this system.

Beacon+������

NOAA

InmarsatF3

Beacon

0x03Decode the SARSAT messages through EpirbPlotter and MULTIPSK.

SARSAT Satellites

• GOES• GPS • GALILEO• GLONASS-K• FENGYUN• INMARSAT• INSAT• ELECTRO-L

• NOAA • METOP• NPOESS• BEIDOU• DASS…

• More than 2,000,000 users• 67 satellites online now• 94 LUT stations• 34+ MCC control centers

Let’s do a loopback test�

Build a project for TEST Tool send data to the GNU Radio ,GNURadio send data by PlutoSDR

SDRGNURadio

Airspy MULTIPSK

HackSAR

Send the fake SarsatMessage.

406MHz

Receive the false Sarsat message.

SDR

1544.5MHz

Send the fakeSarsat Message.

SDR SDR

430MHz

DDos attack

Actually achievable Actually test

Decode it.

The test was operated at 430 MHz, so it did not affect the satellites.

me

5

Antenna

DIY Transmitting and Receiving System

4

1 2 3

What impact does this vulnerability have?

If someone attackone of the satellites, he will attack the entire SARSAT system around the world.

Spy Machine

Interphonemode

007 mode

If someone is using the illegal machines to send information through the SARSAT satellites, he can even use his own modulation and encryption. Only one intercom can decode out information.

67 SARSAT satellites in the air

If B in Germany sends a message via satellite ELEKTRO-L2, D can receive it in Australia.

Hello ?

Uh hum?

They can use satellites as repeaters to send their own encrypted and modulated messages.

Maybe spy already using it�

Send the fake SarsatMessage.

406MHz

Receive the false Sarsat message.

SDR

1.544GHz~1.545GHzDDos attack

DDos Attack Stealing links

Send theencrypted intelligence.

406MHz

Get theintelligence.

SDR

1.544GHz~1.545GHz

Unknow signal.

1.544GHz~1.545GHz

Blocking interference calculationSatellite receiver designed for high sensitivity(about -160dBm), the receive level range for SARP and SARR is �-164~-137dBw, we set up a typical 406MHz high-power radio with a transmit power of 30W(44.77dBm), the orbital altitude of NOAA-19 is 865km,we calculate it based on the free space loss formula �

Ls = 32.45+20xlog865+20xlog406=143.36dBThe signal level to the satellite is �

44.77dBm-143.36dB= -98.59dBm = -128.59dBwThe max signal level of the payload is -137.2dBw, that will cause the load to receive blocking interference ,unable to receive beacon from terminal.The min signal level can be received is: -160dBm+143.36dB= -16.64dBmAnyway ,that’s will cause interference to polar orbiting satellites more than -16.64dBm power.

Conclusion

l Anyone can receive and decode messages through the L-band antenna.

l The satellite payload is too sensitivity , very easy to interferenceand DDOS attacks.

l Everyone can send false message to the satellite.

l The satellite link can be stolen.

So much interference

EnglandAustralia

It is illegal to transmit information on 406MHz !!!

Most intercoms can be sent and receive at 400~470MHz.This is why so many interferences can be found in the downlink of the satellites.My friend helped me to record some signal in Australia, UK and the US. We can see that the system is very common interference.

I want to say :

Please do not interfere this system,We need this system to save more people.They are saving our lives.

������

• COSPAS-SARSAT: https://cospas-sarsat.int/en• Register your beacon: https://www.406registration.com• 360 Technology Home page: https://www.360.cn• My home page: http://www.chnsatcom.com• Twitter: Rasiel_J

@uhf_satcom @sam210723

�����